Can Custom Authentication Procedure Change APP_USER?

I have a custom authentication procedure that authenticates the user against Active Directory. In the procedure, I look up the user's proper case name, using the non-case-sensitive user name they typed in.
I'm doing this:
HTMLDB_CUSTOM_AUTH.set_user(p_user => s_username);
OWA_COOKIE.send(NAME => 'LOGIN_USERNAME_COOKIE', VALUE => v('APP_USER'));
The cookie seems to be correct, but the area at the upper right of each page doesn't show the proper case username and the client_id column of the dba_audit trail view doesn't show it either.
What am I doing wrong?
-F

Hi Scott.
In my authentication scheme, I have this for my Athentication Function:
return dar_authentication_pack.get_user_authenticated_func
The function is declared like this in the package specification:
FUNCTION get_user_authenticated_func(
p_username IN VARCHAR2,
p_password IN VARCHAR2,
p_preserve_case IN BOOLEAN DEFAULT True
RETURN BOOLEAN;
In my login page, the "Login" Page Process is this:
begin
wwv_flow_custom_auth_std.login(
P_UNAME => :P101_USERNAME,
P_PASSWORD => :P101_PASSWORD,
p_preserve_case => True,
P_SESSION_ID => V('APP_SESSION'),
P_FLOW_PAGE => :APP_ID||':4'
end;
I'd like to be able to change APP_USER from what the person entered to the Proper Case version of it that I have found in Active Directory. What is the best way to do this?
-F

Similar Messages

OWA_SEC.CUSTOM package - Custom authentication procedures...

Folks -
I haven't ever used the OWA_SEC.CUSTOM package for custom authentication of a psp application - and now need to do so. The documentation doesn't have any examples of what I need to do. Although there is plenty of documentation - it all says the same stuff, without saying what developers need to do to get it to work.
For example I have updated the following files in the following ways - and still it doesn't work:
owapriv.sql - updated the line that says:
auth_scheme := OWA_SEC.NO_CHECK;
to :
auth_scheme := OWA_SEC.CUSTOM;
owacust.sql - updated to say:
create or replace package body OWA_CUSTOM is
/* Global PLSQL Agent Authorization callback function - */
/* It is used when PLSQL Agent's authorization scheme is set to */
/* GLOBAL or CUSTOM when there is overriding OWA_CUSTOM package.*/
/* This is a default implementation. User should modify. */
function authorize return boolean is
v_username varchar2(30);
v_pass varchar2(30);
BEGIN
owa_sec.set_authorization(OWA_SEC.CUSTOM);
owa_sec.set_protection_realm('my_app');
v_username := owa_sec.get_user_id;
v_pass := owa_sec.get_password;
IF v_username = 'cmanning' THEN
return TRUE;
ELSE
return FALSE;
END IF;
end;
end;
show errors
wdbsvrapp.sql looks like this:
[DAD_mydad]
connect_string = my_connect_string
password = my_password
username = my_username
default_page = my_default_package.procedure
;document_table =
;document_path =
;document_proc =
;upload_as_long_raw =
;upload_as_blob =
name_prefix =
;always_describe =
;after_proc =
;before_proc =
reuse = Yes
connmax = 20
;pathalias =
;pathaliasproc =
enablesso = No
;custom_auth =
Can anyone tell me what I am missing / doing wrong.
For example:
When I take out the username/password reference from the wdbsvr.app file - the browswer tries to authenticate me and the only username/password that validates is the username/password of the database user.
I don't want to have to have database users for every application user that should be authenticated in my application. I want to put a routine in the owacust.sql file that authenticates users (via my own routine or an optional LDAP/radius/SecurID lookup). In this basic example - I am only validating with the cmanning/cmanning combination.
From what I understand in the documentation - if I use OWA_SEC.CUSTOM - then I don't have to put a .authorize function in every package - the OWA agent simply authenticates every request via the OWA_CUSTOM.authorize function.....
Dude - what's up?
Can someone from the Big O help a brother out?
cfm
null

Charles
It looks to me like you want your users authenticated when they try to view your pl/sql-generated html pages, but you want to control the validation with custom code.
You appear to be trying to use owa_custom.authorize to authorize each request, which seems like a good approach.
This whole area is quite complex and I have never found any really comprehensive doco on it. Here are my thoughts which others might like to comment on.
This is a simple version of owa_custom:
PACKAGE BODY OWA_CUSTOM IS
FUNCTION authorize return boolean is
BEGIN
owa_sec.set_protection_realm('aRealm');
if owa.user_id is null then
return false;
else
return my_validate_user
(owa.user_id,owa.get_password);
end if;
exception
RETURN FALSE;
END authorize;
begin
owa_sec.set_authorization(OWA_SEC.GLOBAL);
end;
Note the begin block that applies to the package and sets authorization to GLOBAL when the package is loaded.
The authentication mode in the DAD will need to be Global Owa (afaik) and you will need to supply an oracle username and password in the DAD. ie. you will authenticate the userid/password supplied by the user and then the user will connect to the database as the oracle user specified in the DAD.
I cannot test this code at the moment. Nor can I give you complete instructions to set up authentication from scratch. But here's a brief description of what the code should do.
1. It sets authorization to GLOBAL. So mod_plsql will call owa_custom.authorize for every request. That is, you don't call owa_custom.authorize, it will be done for you and the internals probably look like this:
if owa_custom.authorize then
user_requesed_page(user_supplied_args);
else
send_access_denied;
end if;
2. It sets up a realm, which is relevant to HTTP Basic Authentication and its challenge/response. (You don't have to use HTTP Basic Authentication. An alternative is to present a login form to the user, then you manage the userid/password.)
3. It looks in owa.user_id which will hold the userid supplied by the browser after a HTTP Basic Authentication challenge/response.
4. It uses your custom code to validate the userid and password once the user has been challenged to provide these. You obviously have to create the my_validate_user procedure in the schema and package of your choice.
5. It does not time users out, it does not sustain multi-sessions per user via cookies and it does not support logout without shutting the browsers. But it is simpler for lacking these features.
If this is a way you want to try then your first aim should be to make sure owa_custom is called globally and that it lets you into the database via the DAD-supplied userid and password. You may need some way of writing debug on the server using utl_file to confirm it is being called. Or you could make it return true unconditionally, request a page, then make it return false and request a page.
This is just a start, but let me know if it is on topic.
It would be great to hear suggestions and comments from others on authentication for an htp application under iAS.
Has anyone tried DB Prism?
null

How can you create a customized page to change user password?

Hello to all,
I would like to create a customized page for a user to change their password. We are using Portal version 3.0.9 on Windows NT/2000. Currently there is a page in portal where a user can change their password.
I tried linking to that page by copying the shortcut url and adding it as an html portlet. The problem is that we want to direct the users to a
page of our choosing when they click on the "cancel" and "ok" buttons. I read in the forums that there is a selfreg.cmd script.
I also read that there is some code that has been available.
Has anyone implemented a customized user password change page? Do you know of any links that might have steps to follow or
more informatioin?
Thanks in advance,
Lindsay

Hi,
I was able to customize the change password screen through a procedure. This is what I did:
* Created a procedure under the Portal30_sso schema:
CREATE OR REPLACE procedure reports_chage_password
site2pstoretoken in varchar2 default null
,p_username in varchar2 default null
,p_error_code in varchar2 default null
,p_submit_url in varchar2 default null
,p_done_url in varchar2 default null
,p_pwd_is_exp in varchar2 default null
,p_password in varchar2 default null
is
begin
htp.htmlopen;
htp.headopen;
htp.title ('<TITLE of Page>');
htp.headclose;
htp.bodyopen;
htp.p('<table width="100%"><tr><td colspan=2 align=center><IMG SRC=<directory of image if you want>"> <hr> </td></tr>');
htp.p('<tr><td colspan=2 align=center>');
htp.p('');
htp.header(nsize => 1 ,cheader => 'Change Password');
htp.p('');
htp.p('</td></tr><tr><td align=right>');
htp.formopen(curl => p_submit_url );
htp.p('');
htp.p ('Username:');
htp.p('</td><td alight=left>');
htp.p(p_username);
htp.p('');
htp.p('</td></tr>');
htp.formHidden(cname => 'p_username',cvalue => p_username);
htp.br;
htp.p('<tr><td align=right>');
htp.p('');
htp.p ('Old Password: ');
htp.p('');
htp.p('</td><td align=left>');
htp.p ( htf.formPassword(cname => 'p_old_password',csize => 30,cmaxlength => 30) );
htp.p('</td></tr>');
htp.br;
htp.p('<tr><td align=right>');
htp.p('');
htp.p ('New Password: ');
htp.p('');
htp.p('</td><td align=left>');
htp.p ( htf.formPassword(cname => 'p_new_password',csize => 30,cmaxlength => 30) );
htp.p('</td></tr>');
htp.br;
htp.p('<tr><td align=right>');
htp.p('');
htp.p ('Confirm New Password: ');
htp.p('');
htp.p('</td><td align=left>');
htp.p ( htf.formPassword(cname => 'p_new_password_confirm',csize => 30,cmaxlength => 30) );
htp.p('</td></tr>');
htp.p('<tr><td rowsapn=2>');
htp.formHidden(cname => 'p_done_url',cvalue => '<the url that you want users to go to when they are done>');
htp.formHidden(cname => 'p_pwd_is_exp',cvalue => p_pwd_is_exp);
htp.formHidden(cname => 'p_password',cvalue => p_password);
htp.formHidden(cname => 'site2pstoretoken',cvalue => site2pstoretoken);
htp.p('</td></tr>');
htp.p('<tr><td align=right>');
htp.formSubmit(cname => 'p_action',cvalue => 'OK');
htp.p('</td><td align=left>');
htp.formSubmit(cname => 'p_action',cvalue => 'CANCEL');
htp.p('</td></tr></table>');
if p_error_code is not null then
htp.br;
htp.fontOpen(ccolor=> 'red', csize=> 4);
if p_error_code = 'auth_fail_err' then
htp.p('Old password is incorrect');
elsif p_error_code = 'pwd_rule_err' then
htp.p('The new password does not follow '||
'the password policies.');
htp.br;
htp.p('Verify with your System Administrator '||
'about the Password Policies');
elsif p_error_code = 'confirm_pwd_fail_txt' then
htp.p('Confirmation for new passord is not '||
'the same as the New Passowrd');
elsif p_error_code = 'null_new_pwd_err' then
htp.p('New password cannot be null');
elsif p_error_code = 'null_old_pwd_err' then
htp.p('Old password cannot be null');
else
htp.p ('Error: ' || p_error_code );
end if;
htp.fontClose;
end if;
end;
* Grant this procedure to PUBLIC
* Update the portal30_sso.wwsso_ls_configuration_info_$:
UPDATE portal30_sso.wwsso_ls_configuration_info_$
SET LOGIN URL = '<YOUR CUSTOM LOGIN URL OR THE WORD UNUSED IF YOU DON'T HAVE ONE> http://<MACHINE_NAME>.<DOMAIN>/pls/portal30_sso/portal30_sso.<NAME OF PROCEDURE>';
* After you update the table, go to your account information link, and click on the change password link.
* Then copy the url that you see in your address line
* And if you want a change password link at the top of your portal page, just go to EDIT on your page, then edit the banner defaults. Then in the links add the Lable and the URL. The URL would be the URL you copied from the previous step.
Hope this helps.
I've customized the login page too if you would like some sample code for that. Let me know.
Martin

Customer pricing procedure is changed after creating order

Hi Gurus,
the issue is   we have created an order and pricing procedure is determined in the order. Now the user wants to get a new pricing procedure determined for this order. So he have changed the Customer pricing procedure in Customer master data. He assumed that new pricing procedure will be determined for the order which is already created. But it didnt happen. As per my knowledge pricing procedure canot be redetermined for already created orders. My question is
how to redetermine the pricing procedure for the order ? is there any way to get a new pricing procedure for the order in change mode?
what should we do. we need to delete the order and create a new one or is there any way to get the new pricing procudure for the order?

Hi ,
   basically pricing prodeure is determined by a combination of three things
       Doc pricing procedureCustomer Pricing proceduresales area .
   You can see this using transaction OVKK. So you have to consider all the three things.
In sales doc we have the option of updating the pricing. If you do that i think it will redetermine the procedure and your issue will be solved.
Thanks,
Shyam

Form apply changes results in Unable to fetch custom authentication functio

created a simple form/report application using the wizard and no modification of any kind and I can do everything except apply changes to any field on form screen -
got the following error:
Unable to fetch custom authentication function body in application - HTTP 500 Internal Server Error
any ideas??
Thanks.

I am using data base account.
more info:
the table I am working with is an existing table with large number of columns. to simplify testing I created the following table as a select from original table:
CREATE TABLE APPS.FGS_TEMP_2
TASK_ID NUMBER(15) NOT NULL,
PROJECT_ID NUMBER(15),
TASK_NUMBER VARCHAR2(25 BYTE) NOT NULL
CREATE UNIQUE INDEX APPS.FGS_TEMP_2_IDX1 ON APPS.FGS_TEMP_2
(TASK_ID)
LOGGING
ALTER TABLE APPS.FGS_TEMP_2 ADD (
CONSTRAINT FGS_TEMP_2_CON
PRIMARY KEY
(TASK_ID)
USING INDEX APPS.FGS_TEMP_2_IDX1);
and again used wizard to create a simple tabular form to view and edit - now I am able to edit and apply changes to PROJECT_ID , TASK_NUMBER but not TASK_ID ?? which I guess is a different problem.
here is the table I am trying to create the form for to edit and add - this is an existing table with few thousands rows.
CREATE TABLE HED.EDD_CPR_EMP
EDD_CPR_ID NUMBER NOT NULL,
UNIQUE_PAYROLL_ID VARCHAR2(10 BYTE) NOT NULL,
CPR_PERSON_ID NUMBER,
LEGACY_PAYROLL VARCHAR2(7 BYTE),
GEN_LEGACY_PAYROLL_FLAG VARCHAR2(1 BYTE),
LOGIN_ID VARCHAR2(7 BYTE),
BEMS_ID VARCHAR2(10 BYTE),
STD_USER_ID VARCHAR2(10 BYTE),
STD_UNIX_ID VARCHAR2(10 BYTE),
CMS_PERSON_ID NUMBER,
PERSON_TITLE VARCHAR2(10 BYTE),
FIRST_NAME VARCHAR2(30 BYTE),
MIDDLE_INITIAL VARCHAR2(1 BYTE),
LAST_NAME VARCHAR2(40 BYTE),
SUFFIX VARCHAR2(10 BYTE),
EXT_FULL_NAME VARCHAR2(80 BYTE),
KNOWN_AS VARCHAR2(30 BYTE),
ORIGINAL_HIRE_DATE DATE,
BENEFIT_DATE DATE,
LAST_HIRE_DATE DATE,
HIRE_CODE VARCHAR2(30 BYTE),
HIRE_CODE_DESC VARCHAR2(30 BYTE),
TERMINATION_DATE DATE,
TERMINATION_REASON_CODE VARCHAR2(3 BYTE),
TERMINATION_REASON_DESC VARCHAR2(30 BYTE),
LAST_DAY_WORKED DATE,
BADGE_EXPIRATION_DATE DATE,
ACCT_BUSINESS_UNIT VARCHAR2(2 BYTE),
ACCT_LOCATION VARCHAR2(2 BYTE),
ACCT_DEPARTMENT VARCHAR2(4 BYTE),
ACCT_BUSINESS_UNIT_DESC VARCHAR2(30 BYTE),
ACCT_LOCATION_DESC VARCHAR2(30 BYTE),
ACCT_DEPARTMENT_DESC VARCHAR2(30 BYTE),
HR_DEPARTMENT VARCHAR2(10 BYTE),
HR_ORG_LEVEL_CODE VARCHAR2(15 BYTE),
HR_ORG_STRUCTURE_CODE VARCHAR2(12 BYTE),
HR_ORG_FUNCTION_CODE VARCHAR2(2 BYTE),
HR_DEPARTMENT_DESC VARCHAR2(30 BYTE),
HR_ORG_LEVEL_DESC VARCHAR2(30 BYTE),
HR_ORG_STRUCTURE_DESC VARCHAR2(51 BYTE),
HR_ORG_FUNCTION_DESC VARCHAR2(30 BYTE),
HR_PARENT_DEPARTMENT VARCHAR2(10 BYTE),
US_PERSON_STATUS VARCHAR2(30 BYTE),
SHIFT VARCHAR2(1 BYTE),
SCHEDULED_WORK_WEEK_HOURS VARCHAR2(3 BYTE),
PART_TIME_CODE VARCHAR2(1 BYTE),
EXPLICIT_EMAIL_ADDRESS VARCHAR2(240 BYTE),
STABLE_EMAIL_ADDRESS VARCHAR2(240 BYTE),
URL_ADDRESS VARCHAR2(240 BYTE),
PERSON_STATUS_CODE VARCHAR2(1 BYTE),
PERSON_STATUS_DESC VARCHAR2(12 BYTE),
PERSON_TYPE_CODE VARCHAR2(1 BYTE),
PERSON_TYPE_DESC VARCHAR2(16 BYTE),
HRMS_STATUS_CODE VARCHAR2(1 BYTE),
HRMS_STATUS_DESC VARCHAR2(30 BYTE),
MANAGER_BEMS_ID VARCHAR2(10 BYTE),
MANAGER_NAME VARCHAR2(85 BYTE),
SJC_OCCUPATION_CODE VARCHAR2(2 BYTE),
SJC_JOB_FAMILY_CODE VARCHAR2(2 BYTE),
SJC_FLSA_CODE VARCHAR2(1 BYTE),
SJC_LEVEL_CODE VARCHAR2(1 BYTE),
SJC_SMC_CODE VARCHAR2(3 BYTE),
EEO1_CAT_CODE VARCHAR2(1 BYTE),
SJC_OCCUPATION_DESC VARCHAR2(25 BYTE),
SJC_JOB_FAMILY_DESC VARCHAR2(25 BYTE),
SJC_FLSA_DESC VARCHAR2(30 BYTE),
SJC_SMC_DESC VARCHAR2(25 BYTE),
EEO1_CAT_DESC VARCHAR2(25 BYTE),
HOURLY_JOB_CODE VARCHAR2(5 BYTE),
JOB_TITLE VARCHAR2(60 BYTE),
HOURLY_GRADE VARCHAR2(2 BYTE),
HOURLY_UNION_CODE VARCHAR2(20 BYTE),
HOURLY_UNION_DESC VARCHAR2(60 BYTE),
DIRECT_INDIRECT_CODE VARCHAR2(1 BYTE),
MANAGEMENT_LEVEL_CODE VARCHAR2(1 BYTE),
MANAGEMENT_LEVEL_DESC VARCHAR2(30 BYTE),
TEMPORARY_ASSIGNMENT_CODE VARCHAR2(1 BYTE),
WORK_SCHEDULE_CODE VARCHAR2(30 BYTE),
ROLE_TYPE VARCHAR2(1 BYTE),
ROLE_DESCRIPTION VARCHAR2(13 BYTE),
PERSON_CREATION_DATE DATE,
PERSON_LAST_UPDATE_DATE DATE,
LOCATION1_BUILDING_NUMBER VARCHAR2(6 BYTE),
LOCATION1_FLOOR_NUMBER VARCHAR2(6 BYTE),
LOCATION1_ROOM_NUMBER VARCHAR2(6 BYTE),
LOCATION1_STREET_ADDRESS1 VARCHAR2(60 BYTE),
LOCATION1_STREET_ADDRESS2 VARCHAR2(60 BYTE),
LOCATION1_STREET_ADDRESS3 VARCHAR2(60 BYTE),
LOCATION1_CITY VARCHAR2(30 BYTE),
LOCATION1_STATE VARCHAR2(2 BYTE),
LOCATION1_POSTAL_CODE VARCHAR2(30 BYTE),
LOCATION1_COUNTRY VARCHAR2(70 BYTE),
LOCATION1_LAST_UPDATE_DATE DATE,
LOCATION2_BUILDING_NUMBER VARCHAR2(6 BYTE),
LOCATION2_FLOOR_NUMBER VARCHAR2(6 BYTE),
LOCATION2_ROOM_NUMBER VARCHAR2(6 BYTE),
LOCATION2_STREET_ADDRESS1 VARCHAR2(60 BYTE),
LOCATION2_STREET_ADDRESS2 VARCHAR2(60 BYTE),
LOCATION2_STREET_ADDRESS3 VARCHAR2(60 BYTE),
LOCATION2_CITY VARCHAR2(30 BYTE),
LOCATION2_STATE VARCHAR2(2 BYTE),
LOCATION2_POSTAL_CODE VARCHAR2(30 BYTE),
LOCATION2_COUNTRY VARCHAR2(70 BYTE),
LOCATION2_LAST_UPDATE_DATE DATE,
MAIL1_SITE_CODE VARCHAR2(3 BYTE),
MAIL1_STATION VARCHAR2(10 BYTE),
MAIL1_LAST_UPDATE_DATE DATE,
MAIL2_SITE_CODE VARCHAR2(3 BYTE),
MAIL2_STATION VARCHAR2(10 BYTE),
MAIL2_LAST_UPDATE_DATE DATE,
WORK_PHONE1 VARCHAR2(20 BYTE),
WORK_PHONE1_LAST_UPDATE_DATE DATE,
WORK_PHONE2 VARCHAR2(20 BYTE),
WORK_PHONE2_LAST_UPDATE_DATE DATE,
CELLULAR1 VARCHAR2(20 BYTE),
CELLULAR1_LAST_UPDATE_DATE DATE,
CELLULAR2 VARCHAR2(20 BYTE),
CELLULAR2_LAST_UPDATE_DATE DATE,
PAGER1 VARCHAR2(20 BYTE),
PAGER1_PIN VARCHAR2(30 BYTE),
PAGER1_LAST_UPDATE_DATE DATE,
PAGER2 VARCHAR2(20 BYTE),
PAGER2_PIN VARCHAR2(30 BYTE),
PAGER2_LAST_UPDATE_DATE DATE,
PAGER3 VARCHAR2(20 BYTE),
PAGER3_PIN VARCHAR2(30 BYTE),
PAGER3_LAST_UPDATE_DATE DATE,
FAX VARCHAR2(20 BYTE),
FAX_LAST_UPDATE_DATE DATE,
CREATED_BY NUMBER,
CREATION_DATE DATE,
LAST_UPDATED_BY NUMBER,
LAST_UPDATE_DATE DATE,
REQUEST_ID NUMBER(15),
PROGRAM_APPLICATION_ID NUMBER(15),
PROGRAM_ID NUMBER(15),
PROGRAM_UPDATE_DATE DATE,
LAST_UPDATE_LOGIN NUMBER,
WIN2K_CREATED_BY VARCHAR2(25 BYTE),
WIN2K_UPDATED_BY VARCHAR2(25 BYTE),
L3_EMP_ID VARCHAR2(9 BYTE),
MANAGER_CPR_ID NUMBER,
SALARY_JOB_CODE VARCHAR2(10 BYTE),
JOB_FLSA VARCHAR2(10 BYTE),
BADGE_NUMBER VARCHAR2(50 BYTE)
Thanks for the help.

Can Actions Menu of Interactive Reports work with Custom Authentication?

My testing is leading my to believe that Actions Menu do not work with Custom Authentication (but only work with APEX Authentication) in APEX 3.1.2? If that's true then is there a work around to this?
Just to clarify, I've posted/asked this question twice before:
1) Re: Actions Menu in Interactive Reports does not sort, filter, select cols etc
2) Interactive Report actions don't work for users (i.e. for non-developers)
But I've come to believe this is the main problem. I just don't know how to resolve/work around this?
Thanks for any help.

I haven't setup a sample because my custom authentication is using LDAP authentication. I'm not sure how I can replicate that on the samples server?
I'm using LDAP authentication with a Page Sentry function. My further testing reveals that the Page Sentry function is setting the APEX variable user to NULL (ie blank) whenever there's any code in the Page Sentry function box. PL/SQL code as simple as
BEGIN return TRUE; END;
in the Page Sentry function box sets the "user" is set to <null>. When the Page sentry function box is left empty (no code specified) it sets the "user" properly after authentication against the specified LDAP directory.
What all this has to do with Interactive Reports...
It seems like when the user is NULL it messes-up Interactive Reports that are stored in the flows database. Although it shows the default report properly, but no runtime interactive actions (filtering, sorting, column break, etc.) work.
Can someone please correct or confirm this?
Thanks.

Can Customer Master changes to Vendor Master Automatic

Hello Sir,
We are implementing SAP for the General Insurance Company. Here ones the policy is generated from the customer. if the customer met with accident then that customer will be vendor.
Can Customer be vendor Automatic at the time of the payment.

I believe you have to link the Customer's and Vendor's Master Data in FK02 and FD02. It does not have to be the same number, but it helps when you are reporting because it makes it easier to spot and link their data.
Best regards,
Julio Gomez

Problems with custom authentication when migrating from 3.2 to 4.1.1

Hi,
we’re about to upgrade our APEX instances to 4.1.1 and to migrate our applications. I encountered some problems with our custom authentication schema.
1. Recognize already authenticated sessions: in 3.2 the sentry function could return false as long as the user was not authenticated. Public pages could still be displayed (including the login page). The result of the function apex_custom_auth.is_session_valid returned false until once the sentry function returned true. How can I recognize non authenticated sessions in 4.1.1? I looked for the test the Condition “User is the public user (user has not authenticated)” computes on a page but didn’t found the right one. It’s not what docu states here (comparison with the public user): http://docs.oracle.com/cd/E23903_01/doc/doc.41/e21674/condition001.htm#HTMDB25943. I replaced the test with p_authentication.username = ‘nobody’. It works. But that doesn’t seem to me to be the right way …
2. Post_logout lacks session context: the Post Logout Procedure does not receive a session_id and username. Neither the V(‘APP_SESSION’) nor p_authentication.session_id are set. This applies to both plugin authentication schemes and non-plugin custom authentication schemes. Is there another way to obtain the logged-out sessions infos or is this a bug?
See apex.oracle.com for a demo, workspace WS_MW, gast/gast. Can someone please guide me the way?
Michael

Hello again,
there are no replies until now .... I reviewed some posts regarding custom authentication again and did not find any solution for the issues. Found some that worked with APEX 3.2.1 but not with 4.1.1. I can only work around
1.) in an insecure way, because the non documented (?) user "nobody" can change and all new sessions will be considered authenticated
2.) in a way, that ends up in implementing the logout from the non apex environment outside the authentication schema or authentication plugin.
May be I should contact support for at least the second issue because this doesn't work as documented or am I doing something wrong?
Michael

Custom authentication scheme: Invalid Session Target

Yesterday I spent a lot of time figuring out what was happening and I'm not sure if this is a bug or a feature...
Create an application with some public pages (1,2,101) and some non-public pages (3,4).
Created a list on page 0 listing all pages but only listing page 3 and 4 when user is logged in.
Created a custom authentication scheme.
Running the application showed me the page 1 and the list containing 1,2,101.
I could navigate to 101 and then log in after which I was taken to page 1 showing only 1,2,101.
I changed page 101 so that it would take me to page 3 after logging in and it did. The list showed me 1,2,101,3,4 and the username was also visible.
I could visit all pages correctly except page 1. Whenever I navigated to page 1 I effectively got logged out.
Finally I discovered that I had set "Invalid Session Target" to page 1 in my authentication scheme.
Is this the intended effect ?

Rene,
When a page is selected in the authentication scheme's Invalid Session Page LOV, it gets designated as "the login page". Whenever this page is rendered, APP_USER is null and APP_SESSION is a new session ID. This accounts for what you saw. It's sort of a quirk more than a bug or feature and we ought to properly document this behavior. If, for some reason, you needed a login page that you could navigate back to (after login) in the current session and using the current APP_USER value, you can deselect the page from the Invalid Session Page LOV in the authentication scheme and instead code this in the Invalid Session URL:
f?p=&APP_ID.:101:&APP_SESSION.
...using 101 as the login page, but it can be any page ID as long as it's a public page.
Scott

URGENT help required : Custom Authentication Plugin for validation of users

Hi Experts.
I'm a newbie and am stuck in middle of nowhere.
I have been asked to develop a custom authentication plug-in which would validate a user using the attributes such as a userid and a shared-userid.
shared-userid is just a custom id that would be generated on the basis of some logic.
Currently I'm using OAM 10.1.4.3.0 on WINDOWS server and as everybody, I'm also not able to find any sample files or sample folder structure.
As per one of the other threads https://forums.oracle.com/forums/thread.jspa?messageID=3838474, sample code and sample folders are removed from this particular version and were present in some previous version.
So, can anyone please help me out with the following:
1. How can I proceed to accomplish this task, i.e. to check whether a user-id and a shared-userid both are validated and a user is granted access.
2. Are all of these files required to create a custom authentication plug-in or can we proceed only with the ".c" file (i.e. make file, authn.c, and a dll file made using the make file and .c file)
3. Can anybody provide me with a sample file or a sample code written in "C" wherein the plug-in connects to the LDAP and searches for a particular dn for comparison or something. Also a sample make file for windows to convert the .c file to .dll.
PLEASEEEE help me ASAP.
Regards
Edited by: 805912 on Nov 15, 2011 7:18 PM

Hi,
Regarding question 2, you also need the header file is supplied in the Access Server installation directory, under ...access\oblix\sdk\authn_api and is called authn_api.h. you need this to build the dll which must then be placed in the Access Server's ...\access\oblix\lib directory.
Regarding question 3, if you install an earlier version of the Access Server, ie 10.1.4.2 or less, then you will get a \access\oblix\sdk\authentication\samples\authn_api directory that contains a basic sample authentication plugin. However, there is still documented in the 10.1.4.3 Developer Guide another sample plugin, simplapi.c, in the 10.1.4.3 Developer Guide with instructions on how to use it. It does work, but unfortunately requires a couple of edits to get it working after copy&pasting it (no code changes, just fairly obvious case changes eg changing ObanPlugin* to ObAnPlugin*). I used the following commands to get it to compile into a .so file on unix:
g++44 -c -fPIC -Wno-deprecated -m32 simpleapi.c
g++44 -shared -nostdlib -lc -m32 simpleapi.o -o simpleapi.so
but I really would not know if or how these translate into a Windows environment.
Regards,
Colin
Edited by: ColinPurdon on Nov 15, 2011 2:50 PM

Custom Authenticator WL startup exception

Hi, I am using Weblogic 9.2 on Linux and have created an example custom authenticator.
I have followed several suggested method for creation/deployment, but still am having a exception upon startup and hoping someone could help.
from a previous post I have used the below instructions and have deployed the jar in $WL_HOME/server/lib/mbeantypes
$WL_HOME/server/providers: This is the base Directory for Customer security Provider.
$WL_HOME/server/providers/src This is the directory for the Source Code.
$WL_HOME/server/providers/providersjar This is the directory for the Custom Provider Jar file .
$WL_HOME/server/providers/created_files This is the Directory for the created schema file by Mbean maker.
After having the directory structure as mentioned above run the command as below:
cd $WL_HOME/server
$WL_HOME/samples/domains/wl_server/setExamplesEnv.sh
java -Dfiles=providers/created_files -DMDF=providers/src/MyAuthenticator.xml -DMJF=providers/providersjar/MyAuthenticator.jar -DpreserveStubs=true -DcreateStubs=true weblogic.management.commo.WebLogicMBeanMakerStarted the WL server with the following exception:
starting weblogic with Java version:
java version "1.5.0_12"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.5.0_12-b04)
BEA JRockit(R) (build R27.4.0-90_CR358515-94243-1.5.0_12-20080118-1154-linux-ia32, compiled mode)
Starting WLS with line:
/home/A470231/bea/jrockit_150_12/bin/java -jrockit -Xms256m -Xmx512m -Xverify:none -Xverify:none -da -Dplatform.home=/home/A470231/bea/weblogic92 -Dwls.home=/home/A470231/bea/weblogic92/server -Dwli.home=/home/A470231/bea/weblogic92/integration -Dweblogic.management.discover=true -Dwlw.iterativeDev= -Dwlw.testConsole= -Dwlw.logErrorsToConsole= -Dweblogic.ext.dirs=/home/A470231/bea/patch_weblogic923/profiles/default/sysext_manifest_classpath -Dweblogic.configuration.schemaValidationEnabled=false -Dweblogic.Name=examplesServer -Djava.security.policy=/home/A470231/bea/weblogic92/server/lib/weblogic.policy weblogic.Server
<Aug 2, 2010 1:14:57 PM EDT> <Notice> <WebLogicServer> <BEA-000395> <Following extensions directory contents added to the end of the classpath:
/home/A470231/bea/weblogic92/platform/lib/p13n/p13n-schemas.jar:/home/A470231/bea/weblogic92/platform/lib/p13n/p13n_common.jar:/home/A470231/bea/weblogic92/platform/lib/p13n/p13n_system.jar:/home/A470231/bea/weblogic92/platform/lib/wlp/netuix_common.jar:/home/A470231/bea/weblogic92/platform/lib/wlp/netuix_schemas.jar:/home/A470231/bea/weblogic92/platform/lib/wlp/netuix_system.jar:/home/A470231/bea/weblogic92/platform/lib/wlp/wsrp-common.jar>
<Aug 2, 2010 1:14:58 PM EDT> <Info> <WebLogicServer> <BEA-000377> <Starting WebLogic Server with BEA JRockit(R) Version R27.4.0-90_CR358515-94243-1.5.0_12-20080118-1154-linux-ia32 from BEA Systems, Inc.>
<Aug 2, 2010 1:14:59 PM EDT> <Info> <Management> <BEA-141107> <Version: WebLogic Server 9.2 MP3 Mon Mar 10 08:28:41 EDT 2008 1096261 >
<Aug 2, 2010 1:15:03 PM EDT> <Info> <WebLogicServer> <BEA-000215> <Loaded License : /home/A470231/bea/license.bea>
<Aug 2, 2010 1:15:03 PM EDT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to STARTING>
<Aug 2, 2010 1:15:03 PM EDT> <Info> <WorkManager> <BEA-002900> <Initializing self-tuning thread pool>
<Aug 2, 2010 1:15:04 PM EDT> <Notice> <Log Management> <BEA-170019> <The server log file /home/A470231/bea/weblogic92/samples/domains/wl_server/servers/examplesServer/logs/examplesServer.log is opened. All server side log events will be written to this file.>
*****************SERVICE:>com.bea.common.security.internal.legacy.helper.CredentialMappingServiceConfigHelper_TestRealm<
*****************SERVICE:>weblogic.security.service.internal.ApplicationVersioningServiceConfigHelper_TestRealm<
*****************SERVICE:>com.bea.common.security.internal.legacy.helper.BulkRoleMappingServiceConfigHelper_TestRealm<
*****************SERVICE:>com.bea.common.security.internal.legacy.helper.BulkAuthorizationServiceConfigHelper_TestRealm<
*****************SERVICE:>com.bea.common.security.internal.legacy.helper.RoleMappingServiceConfigHelper_TestRealm<
*****************SERVICE:>weblogic.security.service.internal.RoleDeploymentServiceConfigHelper_TestRealm<
*****************SERVICE:>weblogic.security.service.internal.ApplicationVersioningServiceConfigHelper_TestRealm<
*****************REALM:TestRealm
*****************ProviderMBean length:2
*****************ProviderMBean[0]weblogic.security.providers.authorization.DefaultAuthorizerMBeanImpl@a27aaa68([wl_server]/SecurityConfiguration[wl_server]/Realms[TestRealm]/Authorizers[DefaultAuthorizer])
*****************ProviderMBean[1]weblogic.security.providers.authorization.DefaultAdjudicatorMBeanImpl@c6697d45([wl_server]/SecurityConfiguration[wl_server]/Realms[TestRealm]/Adjudicator[DefaultAdjudicator])
*****************SERVICE:>com.bea.common.security.internal.legacy.helper.AuthorizationServiceConfigHelper_TestRealm<
*****************SERVICE:>weblogic.security.service.internal.PolicyDeploymentServiceConfigHelper_TestRealm<
*****************SERVICE:>weblogic.security.service.internal.IsProtectedResourceServiceConfigHelper_TestRealm<
*****************SERVICE:>weblogic.security.service.internal.ApplicationVersioningServiceConfigHelper_TestRealm<
*****************SERVICE:>weblogic.security.service.internal.RoleConsumerServiceConfigHelper_TestRealm<
<Aug 2, 2010 1:15:07 PM EDT> <Critical> <WebLogicServer> <BEA-000362> <Server failed. Reason:
There are 1 nested errors:
weblogic.security.service.SecurityServiceRuntimeException: [Security:090877]Service Common AuthorizationService unavailable, see exception text: com.bea.common.engine.ServiceInitializationException: com.bea.common.engine.SecurityServiceRuntimeException: [Security:097533]SecurityProvider service class name is not specified.
at weblogic.security.service.AuthorizationManager.initialize(AuthorizationManager.java:147)
at weblogic.security.service.AuthorizationManager.<init>(AuthorizationManager.java:83)
at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.doATZ(CommonSecurityServiceManagerDelegateImpl.java:348)
at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initializeRealm(CommonSecurityServiceManagerDelegateImpl.java:273)
at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.loadRealm(CommonSecurityServiceManagerDelegateImpl.java:444)
at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initializeRealms(CommonSecurityServiceManagerDelegateImpl.java:459)
at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initialize(CommonSecurityServiceManagerDelegateImpl.java:540)
at weblogic.security.service.SecurityServiceManager.initialize(SecurityServiceManager.java:376)
at weblogic.security.SecurityService.start(SecurityService.java:141)
at weblogic.t3.srvr.SubsystemRequest.run(SubsystemRequest.java:64)
at weblogic.work.ExecuteThread.execute(ExecuteThread.java:209)
at weblogic.work.ExecuteThread.run(ExecuteThread.java:181)
Caused by: com.bea.common.engine.ServiceInitializationException: com.bea.common.engine.SecurityServiceRuntimeException: [Security:097533]SecurityProvider service class name is not specified.
at com.bea.common.engine.internal.ServiceEngineImpl.findOrStartService(ServiceEngineImpl.java:342)
at com.bea.common.engine.internal.ServiceEngineImpl.findOrStartService(ServiceEngineImpl.java:292)
at com.bea.common.engine.internal.ServiceEngineImpl.lookupService(ServiceEngineImpl.java:263)
at com.bea.common.engine.internal.ServicesImpl.getService(ServicesImpl.java:71)
at weblogic.security.service.SecurityServiceManager.getService(SecurityServiceManager.java:95)
at weblogic.security.service.AuthorizationManager.initialize(AuthorizationManager.java:137)
... 11 more
Caused by: com.bea.common.engine.SecurityServiceRuntimeException: [Security:097533]SecurityProvider service class name is not specified.
at com.bea.common.security.internal.legacy.service.SecurityProviderImpl.init(SecurityProviderImpl.java:40)
at com.bea.common.engine.internal.ServiceEngineImpl.findOrStartService(ServiceEngineImpl.java:340)
... 16 more
Can anyone have any ideas?
I have narrowed it down to having a problem retrieving the role and policy consumer services I believe
Thanks,
Bobby.

Hi All,
Found the reason for the exception. I was implementing the generated the CustomAuthenticatorImpl class (generated through WebLogic MBeanMaker utility) as the provider class by implementing the AuthenticationProvider interface. Keeping them separate solved the issue.
Able to create the jar without any issues and also no error or exception after restart.
Thanks.

Custom Authentication Provider and User Manage like SQLAuthenticator, How?

Hi everyone,
I faced a problem with login function of my portal (Webcenter Application). The Problem is:
- Allow the users logging in by user that store in another system. I must communicate using low level of socket. This really is not a problem.
- If user logged in, for first time of logging in, i must store them in some identity store (Maybe tables database).
- View Users in Weblogic Console. To do that, i known that i must implemeted something that i dont what that are.
Here are my work:
- I Created a Custom Authentication Provider. And configuration in Admin Console. But i don't know what are that i should implementing to View user & group in Admin Console.
- I Cannot logging in: After i created simple application for testing, i cannot logging in even i tested with SQLAuthenticator Provider and original DefaultProvider. In Logging Console, I saw every I Printed In The Code of Login Module.
Here are my Code:
<?xml version="1.0" ?>
<MBeanType Name = "OrkitVASPortal" DisplayName = "OrkitVASPortal"
 Package = "orkit"
 Extends = "weblogic.management.security.authentication.Authenticator"
 PersistPolicy = "OnUpdate">
 <MBeanAttribute
 Name = "ProviderClassName"
 Type = "java.lang.String"
 Writeable = "false"
 Default = ""orkit.OrkitVASPortalProviderImpl""
/>
 <MBeanAttribute
 Name = "Description"
 Type = "java.lang.String"
 Writeable = "false"
 Default = ""WebLogic Simple Sample Audit Provider""
/>
 <MBeanAttribute
 Name = "Version"
 Type = "java.lang.String"
 Writeable = "false"
 Default = ""1.0""
/>
 <MBeanAttribute
 Name = "LogFileName"
 Type = "java.lang.String"
 Default = ""SimpleSampleAuditor.log""
/>
</MBeanType>
package orkit;
import java.util.HashMap;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import weblogic.management.security.ProviderMBean;
import weblogic.security.provider.PrincipalValidatorImpl;
import weblogic.security.spi.*;
public final class OrkitVASPortalProviderImpl implements AuthenticationProviderV2 {
 private String description;
 private LoginModuleControlFlag controlFlag;
 public OrkitVASPortalProviderImpl() {
 System.out.println("The Orkit VASPortal Provider Implemented!!!!!");
 @Override
 public IdentityAsserterV2 getIdentityAsserter() {
 return null;
 // Our mapping of users to passwords/groups, instead of being in LDAP or in a
 // database, is represented by a HashMap of MyUserDetails objects..
 public class MyUserDetails {
 String pw;
 String group;
 // We use this to represent the user's groups and passwords
 public MyUserDetails(String pw, String group) {
 this.pw = pw;
 this.group = group;
 public String getPassword() {
 return pw;
 public String getGroup() {
 return group;
 // This is our database
 private HashMap userGroupMapping = null;
 public void initialize(ProviderMBean mbean, SecurityServices services) {
 System.out.println("The Orkit VASPortal Provider is intializing......");
 OrkitVASPortalMBean myMBean = (OrkitVASPortalMBean) mbean;
 description = myMBean.getDescription() + "\n" + myMBean.getVersion();
 System.err.println("#In realm:" + myMBean.getRealm().wls_getDisplayName());
 // We would typically use the realm name to find the database
 // we want to use for authentication. Here, we just create one.
 userGroupMapping = new HashMap();
 userGroupMapping.put("a", new MyUserDetails("passworda", "g1"));
 userGroupMapping.put("b", new MyUserDetails("passwordb", "g2"));
 userGroupMapping.put("system", new MyUserDetails("12341234",
 "Administrators"));
 String flag = myMBean.getControlFlag();
 if (flag.equalsIgnoreCase("REQUIRED")) {
 controlFlag = LoginModuleControlFlag.REQUIRED;
 } else if (flag.equalsIgnoreCase("OPTIONAL")) {
 controlFlag = LoginModuleControlFlag.OPTIONAL;
 } else if (flag.equalsIgnoreCase("REQUISITE")) {
 controlFlag = LoginModuleControlFlag.REQUISITE;
 } else if (flag.equalsIgnoreCase("SUFFICIENT")) {
 controlFlag = LoginModuleControlFlag.SUFFICIENT;
 } else {
 throw new IllegalArgumentException("Invalid control flag " + flag);
 public AppConfigurationEntry getLoginModuleConfiguration() {
 HashMap options = new HashMap();
 options.put("usermap", userGroupMapping);
 System.out.println("UserMap: " + options);
 return new AppConfigurationEntry(
 "orkit.OrkitVASPortalLoginModule",
 controlFlag, options);
 public String getDescription() {
 return description;
 public PrincipalValidator getPrincipalValidator() {
 return new PrincipalValidatorImpl();
 public AppConfigurationEntry getAssertionModuleConfiguration() {
 return null;
// public IdentityAsserter getIdentityAsserter() {
// return null;
 public void shutdown() {
* To change this template, choose Tools | Templates
* and open the template in the editor.
package orkit;
import orkit.OrkitVASPortalProviderImpl;
import java.io.IOException;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;
import weblogic.security.principal.WLSGroupImpl;
import weblogic.security.principal.WLSUserImpl;
* This login module will be called by our Authentication Provider. It assumes
* that the option, usermap, will be passed which contains the map of users to
* passwords and groups.
public class OrkitVASPortalLoginModule implements LoginModule {
 private Subject subject;
 private CallbackHandler callbackHandler;
 private HashMap userMap;
 // Authentication status
 private boolean loginSucceeded;
 private boolean principalsInSubject;
 private Vector principalsBeforeCommit = new Vector();
 public void initialize(Subject subject, CallbackHandler callbackHandler,
 Map sharedState, Map options) {
 this.subject = subject;
 this.callbackHandler = callbackHandler;
 // Fetch user/password map that should be set by the authenticator
 userMap = (HashMap) options.get("usermap");
 * Called once after initialize to try and log the person in
 public boolean login() throws LoginException {
 // First thing we do is create an array of callbacks so that
 // we can get the data from the user
 Callback[] callbacks;
 callbacks = new Callback[2];
 callbacks[0] = new NameCallback("username: ");
 callbacks[1] = new PasswordCallback("password: ", false);
 try {
 callbackHandler.handle(callbacks);
 } catch (IOException eio) {
 throw new LoginException(eio.toString());
 } catch (UnsupportedCallbackException eu) {
 throw new LoginException(eu.toString());
 String username = ((NameCallback) callbacks[0]).getName();
 System.out.println("Username: " + username);
 char[] pw = ((PasswordCallback) callbacks[1]).getPassword();
 String password = new String(pw);
 System.out.println("PASSWORD: " + password);
 if (username.length() > 0) {
 if (!userMap.containsKey(username)) {
 throw new FailedLoginException("Authentication Failed: Could not find user:" + username);
 }else{
 System.out.println("Contstainded Username");
 String realPassword = ((OrkitVASPortalProviderImpl.MyUserDetails) userMap.get(username)).getPassword();
 if (realPassword == null || !realPassword.equals(password)) {
 throw new FailedLoginException("Authentication Failed: Password incorrect for user" + username);
 }else{
 System.out.println("Everyitng OKIE");
 } else {
 // No Username, so anonymous access is being attempted
 loginSucceeded = true;
 // We collect some principals that we would like to add to the user
 // once this is committed.
 // First, we add his username itself
 principalsBeforeCommit.add(new WLSUserImpl(username));
 // Now we add his group
 principalsBeforeCommit.add(new WLSGroupImpl(((OrkitVASPortalProviderImpl.MyUserDetails) userMap.get(username)).getGroup()));
 return loginSucceeded;
 public boolean commit() throws LoginException {
 if (loginSucceeded) {
 subject.getPrincipals().removeAll(principalsBeforeCommit);
 principalsInSubject = true;
 return true;
 } else {
 return false;
 public boolean abort() throws LoginException {
 if (principalsInSubject) {
 subject.getPrincipals().removeAll(principalsBeforeCommit);
 principalsInSubject = false;
 return true;
 public boolean logout() throws LoginException {
 return true;
}and OrkitVASPortalMBean & OrkitVASPortalImpl class created by MBeanMaker tool.
Can someome help.
Thanks in advance!

Hi ,
SQLAuthenticator is not yet supported with UCM 11g due to some JPS Provider limitations .
Currently there is an Enhancement request for this .
Thanks
Srinath

Custom Authentication With Identity Store

Hi everyone,
I faced a problem with login function of my portal (Webcenter Application). The Problem is:
- Allow the users logging in by user that store in another system. I must communicate using low level of socket. This really is not a problem.
- If user logged in, for first time of logging in, i must store them in some identity store (Maybe tables database).
- View Users in Weblogic Console. To do that, i known that i must implemeted something that i dont what that are.
Here are my work:
- I Created a Custom Authentication Provider. And configuration in Admin Console. But i don't know what are that i should implementing to View user & group in Admin Console.
- I Cannot logging in: After i created simple application for testing, i cannot logging in even i tested with SQLAuthenticator Provider and original DefaultProvider. In Logging Console, I saw every I Printed In The Code of Login Module.
Here are my Code:
<?xml version="1.0" ?>
<MBeanType Name = "OrkitVASPortal" DisplayName = "OrkitVASPortal"
 Package = "orkit"
 Extends = "weblogic.management.security.authentication.Authenticator"
 PersistPolicy = "OnUpdate">
 <MBeanAttribute
 Name = "ProviderClassName"
 Type = "java.lang.String"
 Writeable = "false"
 Default = ""orkit.OrkitVASPortalProviderImpl""
/>
 <MBeanAttribute
 Name = "Description"
 Type = "java.lang.String"
 Writeable = "false"
 Default = ""WebLogic Simple Sample Audit Provider""
/>
 <MBeanAttribute
 Name = "Version"
 Type = "java.lang.String"
 Writeable = "false"
 Default = ""1.0""
/>
 <MBeanAttribute
 Name = "LogFileName"
 Type = "java.lang.String"
 Default = ""SimpleSampleAuditor.log""
/>
</MBeanType>
package orkit;
import java.util.HashMap;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import weblogic.management.security.ProviderMBean;
import weblogic.security.provider.PrincipalValidatorImpl;
import weblogic.security.spi.*;
public final class OrkitVASPortalProviderImpl implements AuthenticationProviderV2 {
 private String description;
 private LoginModuleControlFlag controlFlag;
 public OrkitVASPortalProviderImpl() {
 System.out.println("The Orkit VASPortal Provider Implemented!!!!!");
 @Override
 public IdentityAsserterV2 getIdentityAsserter() {
 return null;
 // Our mapping of users to passwords/groups, instead of being in LDAP or in a
 // database, is represented by a HashMap of MyUserDetails objects..
 public class MyUserDetails {
 String pw;
 String group;
 // We use this to represent the user's groups and passwords
 public MyUserDetails(String pw, String group) {
 this.pw = pw;
 this.group = group;
 public String getPassword() {
 return pw;
 public String getGroup() {
 return group;
 // This is our database
 private HashMap userGroupMapping = null;
 public void initialize(ProviderMBean mbean, SecurityServices services) {
 System.out.println("The Orkit VASPortal Provider is intializing......");
 OrkitVASPortalMBean myMBean = (OrkitVASPortalMBean) mbean;
 description = myMBean.getDescription() + "\n" + myMBean.getVersion();
 System.err.println("#In realm:" + myMBean.getRealm().wls_getDisplayName());
 // We would typically use the realm name to find the database
 // we want to use for authentication. Here, we just create one.
 userGroupMapping = new HashMap();
 userGroupMapping.put("a", new MyUserDetails("passworda", "g1"));
 userGroupMapping.put("b", new MyUserDetails("passwordb", "g2"));
 userGroupMapping.put("system", new MyUserDetails("12341234",
 "Administrators"));
 String flag = myMBean.getControlFlag();
 if (flag.equalsIgnoreCase("REQUIRED")) {
 controlFlag = LoginModuleControlFlag.REQUIRED;
 } else if (flag.equalsIgnoreCase("OPTIONAL")) {
 controlFlag = LoginModuleControlFlag.OPTIONAL;
 } else if (flag.equalsIgnoreCase("REQUISITE")) {
 controlFlag = LoginModuleControlFlag.REQUISITE;
 } else if (flag.equalsIgnoreCase("SUFFICIENT")) {
 controlFlag = LoginModuleControlFlag.SUFFICIENT;
 } else {
 throw new IllegalArgumentException("Invalid control flag " + flag);
 public AppConfigurationEntry getLoginModuleConfiguration() {
 HashMap options = new HashMap();
 options.put("usermap", userGroupMapping);
 System.out.println("UserMap: " + options);
 return new AppConfigurationEntry(
 "orkit.OrkitVASPortalLoginModule",
 controlFlag, options);
 public String getDescription() {
 return description;
 public PrincipalValidator getPrincipalValidator() {
 return new PrincipalValidatorImpl();
 public AppConfigurationEntry getAssertionModuleConfiguration() {
 return null;
// public IdentityAsserter getIdentityAsserter() {
// return null;
 public void shutdown() {
* To change this template, choose Tools | Templates
* and open the template in the editor.
package orkit;
import orkit.OrkitVASPortalProviderImpl;
import java.io.IOException;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;
import weblogic.security.principal.WLSGroupImpl;
import weblogic.security.principal.WLSUserImpl;
* This login module will be called by our Authentication Provider. It assumes
* that the option, usermap, will be passed which contains the map of users to
* passwords and groups.
public class OrkitVASPortalLoginModule implements LoginModule {
 private Subject subject;
 private CallbackHandler callbackHandler;
 private HashMap userMap;
 // Authentication status
 private boolean loginSucceeded;
 private boolean principalsInSubject;
 private Vector principalsBeforeCommit = new Vector();
 public void initialize(Subject subject, CallbackHandler callbackHandler,
 Map sharedState, Map options) {
 this.subject = subject;
 this.callbackHandler = callbackHandler;
 // Fetch user/password map that should be set by the authenticator
 userMap = (HashMap) options.get("usermap");
 * Called once after initialize to try and log the person in
 public boolean login() throws LoginException {
 // First thing we do is create an array of callbacks so that
 // we can get the data from the user
 Callback[] callbacks;
 callbacks = new Callback[2];
 callbacks[0] = new NameCallback("username: ");
 callbacks[1] = new PasswordCallback("password: ", false);
 try {
 callbackHandler.handle(callbacks);
 } catch (IOException eio) {
 throw new LoginException(eio.toString());
 } catch (UnsupportedCallbackException eu) {
 throw new LoginException(eu.toString());
 String username = ((NameCallback) callbacks[0]).getName();
 System.out.println("Username: " + username);
 char[] pw = ((PasswordCallback) callbacks[1]).getPassword();
 String password = new String(pw);
 System.out.println("PASSWORD: " + password);
 if (username.length() > 0) {
 if (!userMap.containsKey(username)) {
 throw new FailedLoginException("Authentication Failed: Could not find user:" + username);
 }else{
 System.out.println("Contstainded Username");
 String realPassword = ((OrkitVASPortalProviderImpl.MyUserDetails) userMap.get(username)).getPassword();
 if (realPassword == null || !realPassword.equals(password)) {
 throw new FailedLoginException("Authentication Failed: Password incorrect for user" + username);
 }else{
 System.out.println("Everyitng OKIE");
 } else {
 // No Username, so anonymous access is being attempted
 loginSucceeded = true;
 // We collect some principals that we would like to add to the user
 // once this is committed.
 // First, we add his username itself
 principalsBeforeCommit.add(new WLSUserImpl(username));
 // Now we add his group
 principalsBeforeCommit.add(new WLSGroupImpl(((OrkitVASPortalProviderImpl.MyUserDetails) userMap.get(username)).getGroup()));
 return loginSucceeded;
 public boolean commit() throws LoginException {
 if (loginSucceeded) {
 subject.getPrincipals().removeAll(principalsBeforeCommit);
 principalsInSubject = true;
 return true;
 } else {
 return false;
 public boolean abort() throws LoginException {
 if (principalsInSubject) {
 subject.getPrincipals().removeAll(principalsBeforeCommit);
 principalsInSubject = false;
 return true;
 public boolean logout() throws LoginException {
 return true;
}and OrkitVASPortalMBean & OrkitVASPortalImpl class created by MBeanMaker tool.
Can someome help.
Thank you very much!

When i login with the password and username from my custom authentication provider, my login module check ok, but logon form still there.

Custom Authentication using WebService

Hi,
I am trying to create a way to Authenticate my users after calling a Webservice using Custom Authentication so that they don't have to Log on twice (SSO).
Here is a brief description of what I'm trying to do:
- End Users Login and get Authenticated in an iPlanet Portal.
- Once in - they hit a link which calls my APEX Application in a new window.
- I call the Web Service that return a response telling me if they have a valid Portal session along with username etc.
- If they are logged in to our Portal - I authenticate them in APEX using Custom Authentication and allow them to continue.
I have done this so far:
- Created an After Footer Process in the Login Page(101) that calls the Web Service.
- Created an automatic Page submit on page 101 with Javascript.
- Changed the After Submit Process 'Set Username Cookie' to use the Login returned in the Web Service.
- Changed the After Submit Process 'Login' to use the Login returned in the Web Service.
- Custom Authentication is run after Page is submitted.
- The user can then run the Application.
Everything was working fine when I was already logged in to APEX as a Developer, but when I tried to run the application as a non-developer I get the Error:
ORA-01400: cannot insert NULL into ("FLOWS_030100"."WWV_FLOW_COLLECTIONS$"."USER_ID")
I now realize that my Webservice Process is trying to store the result of the Web Service call before the Login has occured - so there is no APEX User at this point.
Does anyone have a way to accomplish what I'm trying to do?
Thanks,
Bill

You should create a page sentry function based on the often-cited ntlm page sentry function discussed in this forum. That has the framework you need. Here is an example, although it's kind of old:
function modntlm_page_sentry return boolean as
    l_current_sid            number;
    l_authenticated_username varchar2(256) := OWA_UTIL.GET_CGI_ENV('REMOTE_USER');
begin
    if l_authenticated_username is null then
        return false;
    end if;
    l_current_sid := wwv_flow_custom_auth_std.get_session_id_from_cookie;
    if wwv_flow_custom_auth_std.is_session_valid then
        htmldb_application.g_instance := l_current_sid;
        if l_authenticated_username = wwv_flow_custom_auth_std.get_username then
            wwv_flow_custom_auth.define_user_session(
                p_user=>l_authenticated_username,
                p_session_id=>l_current_sid);
            return true;
        else -- username mismatch. Unset the session cookie and redirect back here to take other branch
            wwv_flow_custom_auth_std.logout(
                p_this_flow=>v('FLOW_ID'),
                p_next_flow_page_sess=>v('FLOW_ID')||':'||nvl(v('FLOW_PAGE_ID'),0)||':'||l_current_sid);
            htmldb_application.g_unrecoverable_error := true; -- tell htmldb engine to quit
            return false;
        end if;
    else -- application session cookie not valid; we need a new htmldb session
        wwv_flow_custom_auth.define_user_session(
            p_user=>l_authenticated_username,
            p_session_id=>wwv_flow_custom_auth.get_next_session_id);
        htmldb_application.g_unrecoverable_error := true; -- tell htmldb engine to quit
        if owa_util.get_cgi_env('REQUEST_METHOD') = 'GET' then
            wwv_flow_custom_auth.remember_deep_link(p_url=>'f?'||wwv_flow_utilities.get_cgi_query_string_decoded);
        else
            wwv_flow_custom_auth.remember_deep_link(p_url=>'f?p='||
                to_char(htmldb_application.g_flow_id)||':'||
                to_char(nvl(htmldb_application.g_flow_step_id,0))||':'||
                to_char(htmldb_application.g_instance));
        end if;
        wwv_flow_custom_auth_std.post_login( -- register session in htmldb sessions table,set cookie,redirect back
            p_uname     => l_authenticated_username,
            p_flow_page => htmldb_application.g_flow_id||':'||nvl(htmldb_application.g_flow_step_id,0));
        return false;
    end if;
end modntlm_page_sentry;You would replace this:
l_authenticated_username varchar2(256) := OWA_UTIL.GET_CGI_ENV('REMOTE_USER');
...with whatever statement will allow you to get the authentication status and authenticated user name from the environment, from HTTP headers, or from some other external source.
Then you would put this into the page sentry function attribute of the authentication scheme for your application:
return modntlm_page_sentry;
Of course you can name it anything you like but it should be compiled in your applicaiton's parsing schema.
Scott

Issue in Custom Authentication

Hi All,
I created a new custom authentication. I specified the function name in the authentication scheme. My code seems to be working fine(boolean condition works) but the authentication fails. Below is the package. Is there any other conditions I need to setup when creating authenticate.
can anyone please suggest.
create or replace package body app_login
is
Function get_hash(p_input IN varchar2)
return varchar2
is
begin
RETURN UPPER(DBMS_OBFUSCATION_TOOLKIT.MD5 (
 INPUT => UTL_I18N.STRING_TO_RAW(P_INPUT)));
 -- return p_input;
end get_hash;
FUNCTION valid_user(p_username IN VARCHAR2 ,p_password IN VARCHAR2)
return boolean
is
v_hash varchar2(200);
V_RESULT number;
v_pwd DEMO1_USER.PASSWORD%type;
begin
v_hash:=app_login.get_hash(P_USERNAME || P_PASSWORD);
SELECT COUNT(*)
 INTO V_RESULT
 FROM DEMO1_USER
 WHERE UPPER(USERNAME) = UPPER(P_USERNAME)
 AND UPPER(PASSWORD) = UPPER(V_HASH);
IF V_RESULT > 0 THEN
 RETURN TRUE;
 ELSE
 RETURN FALSE;
 END IF;
end valid_user;
Procedure add_user(p_username IN VARCHAR2 ,p_password IN VARCHAR2)
is
v_pwd_hash varchar2(200);
begin
v_pwd_hash:=app_login.get_hash(P_USERNAME || P_PASSWORD);
insert into demo1_user values(APP_USER_SEQ.nextval,p_username,v_pwd_hash);
commit;
end add_user;
end app_login;
Thanks
Raj

Hello Raj,
It's working now..
try hari1/hari1 to log-in to your application.
CREATE OR REPLACE
PACKAGE body app_login
IS
 FUNCTION get_hash(
 p_input IN VARCHAR2)
 RETURN VARCHAR2
 IS
 --v_hash varchar2(200);
 BEGIN
 RETURN UPPER(DBMS_OBFUSCATION_TOOLKIT.MD5 (
 INPUT => UTL_I18N.STRING_TO_RAW(P_INPUT)));
 -- return p_input;
 END get_hash;
 FUNCTION valid_user(
 p_username IN VARCHAR2 ,
 p_password IN VARCHAR2)
 RETURN BOOLEAN
 IS
 --v_username DEMO1_USER.USERNAME%type;
 --v_password DEMO1_USER.PASSWORD%rowtype;
 v_hash VARCHAR2(200);
 V_RESULT NUMBER;
 v_pwd DEMO1_USER.PASSWORD%type;
 BEGIN
 /*Added UPPER to p_username*/
 v_hash:=app_login.get_hash(UPPER(P_USERNAME) || P_PASSWORD);
 --select count(*) into v_exists from DEMO1_USER where password=v_hash and upper(username)=upper(p_username);
 SELECT COUNT(*)
 INTO V_RESULT
 FROM DEMO1_USER
 WHERE UPPER(USERNAME) = UPPER(P_USERNAME)
 AND UPPER(PASSWORD) = UPPER(V_HASH);
 /*Here condition was V_RESULT < 0 which will always fail */
 IF V_RESULT = 1 THEN
 RETURN TRUE;
 ELSE
 RETURN FALSE;
 END IF;
 END valid_user;
 PROCEDURE add_user(
 p_username IN VARCHAR2 ,
 p_password IN VARCHAR2)
 IS
 v_pwd_hash VARCHAR2(200);
 BEGIN
 /*Added UPPER to p_username*/
 v_pwd_hash:=app_login.get_hash(UPPER(P_USERNAME) || P_PASSWORD);
 INSERT INTO demo1_user VALUES
 (APP_USER_SEQ.nextval,p_username,v_pwd_hash
 COMMIT;
 END add_user;
END app_login;Regards,
Hari

Can Custom Authentication Procedure Change APP_USER?

Similar Messages

Maybe you are looking for